Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

comparing a field and external file

aniketb
Path Finder
‎07-25-2012 10:28 AM

Hello all,

I'm a very new splunk user. I have this question:

I have a list of verified hostnames. I can put them in any file, .txt or .csv, its just a list.
I also have my hostname field in logs correctly extracted.

I would like to set up an alert if the hostname doesn't match with any approved one from the list.

How should I go ahead with it? Answers or even pointers would be helpful.

Reply
1 Solution
Solved! Jump to solution
Solution

cburr2012
Path Finder
‎07-25-2012 11:45 AM

aniketb,

1) Create the list of verified hostnames as a CSV file. It is easy if the column containing the hostname values is the same name as Splunk's hostname. (i.e. if Splunk calls it "host=bob" your header should be "host" without the quotes.)

2) Open Splunk.

3) Navigate to Manager --> Lookups --> Add New --> Lookup Table File

4) Upload your file and name it hostname_lookup.csv (or whatever you want, have the filename end in .csv)

5) Under Manager --> Lookups --> Add New --> Lookup Definition

6) Name: hostname_lookup , lookup-file: hostname_lookup.csv

7) Now define your search query: index=this_index query_terms_here NOT [|inputlookup hostname_lookup | fields host]

😎 Set your time and click Create --> Alert

9) Schedule your alert and have it trigger when your results are great than 0.

Hope this helps.

View solution in original post

Reply
Solved! Jump to solution
Solution

cburr2012
Path Finder
‎07-25-2012 11:45 AM

aniketb,

1) Create the list of verified hostnames as a CSV file. It is easy if the column containing the hostname values is the same name as Splunk's hostname. (i.e. if Splunk calls it "host=bob" your header should be "host" without the quotes.)

2) Open Splunk.

3) Navigate to Manager --> Lookups --> Add New --> Lookup Table File

4) Upload your file and name it hostname_lookup.csv (or whatever you want, have the filename end in .csv)

5) Under Manager --> Lookups --> Add New --> Lookup Definition

6) Name: hostname_lookup , lookup-file: hostname_lookup.csv

7) Now define your search query: index=this_index query_terms_here NOT [|inputlookup hostname_lookup | fields host]

😎 Set your time and click Create --> Alert

9) Schedule your alert and have it trigger when your results are great than 0.

Hope this helps.

Reply
Solved! Jump to solution

carmackd
Communicator
‎07-25-2012 10:34 AM

upload the host list as a lookup file (save as .csv) host column header named hostname

run this search

sourcetype=<my_sourcetype_name_here> NOT [|inputlookup <lookup_name_here>.csv | fields hostname]
Reply
Get Updates on the Splunk Community!

Digital Resilience Assessment Launch | How prepared are you for disruption?

Disruption is inevitable. The question is – how prepared are you to handle it? In today’s fast-moving digital ...

Buttercup Games: Further Dashboarding Techniques (Part 2)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Index This | What is the next number in the series? 7,645 5,764 4,576…

February 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...